Comments and answers for "How to edit my search to exclude the top 20 noisy results and return the rest?"
https://answers.splunk.com/answers/747654/how-to-edit-my-search-to-exclude-the-top-20-noisy.html

The latest comments and answers for the question "How to edit my search to exclude the top 20 noisy results and return the rest?"

Answer by Vijeta
https://answers.splunk.com/answering/747680/view.html
@phant0mgh0st Try something like the below to exclude the top 20 noisy results:

    source="x" | stats count by a,b | fields + a,b,count | sort 0 count desc | streamstats count as id | where id > 20

Tue, 21 May 2019 16:04:39 GMT
Vijeta

Answer by koshyk
https://answers.splunk.com/answering/747263/view.html
The reason is that sort limits to 10K [results][1] by default settings.
An easier option is to do the limiting beforehand:

    source="x" | top a by b

[1]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort

Tue, 21 May 2019 15:44:12 GMT
koshyk

Answer by KailA
https://answers.splunk.com/answering/747262/view.html
Hello,
After sorting your data, you can try this:

    | streamstats count as nb
    | where nb > 20

This will remove the first 20 rows of your table :)
Let me know if it helps you.

Tue, 21 May 2019 15:42:12 GMT
KailA